
Pass-through authorization from Windows to Linux

I wanted to log in to a Linux machine from PuTTY without typing a password. It turns out this can be done, though it is a bit more involved than one would like.
So.

We will configure SSH access on the host sshhost, which lives in the Kerberos realm DOMAIN.LOCAL.
Note the capital letters. Kerberos realm names are case-sensitive, so wherever we refer to the realm we write it in upper case.

Input data.
The KDC (Key Distribution Center), the DNS server and the AD domain controller are the same machine: dc1.domain.local. The domain administrator account is Administrator. sshhost runs Gentoo Linux.

Some preparations:
The host must resolve to its fully qualified name, so:
1) check the DNS settings twice, preferably three times;
2) verify forward and reverse resolution of our host (from the KDC as well);
3) put our host's FQDN first in the hosts file:
# nano -w /etc/hosts
127.0.0.1 sshhost.domain.local sshhost localhost
Note that this entry maps the FQDN to loopback on the host itself; what the clients and the KDC see is DNS, so make sure the A record for sshhost.domain.local and the PTR record for its real address agree (step 2 above). A name mismatch is the most common reason GSSAPI silently falls back to password authentication later.

# nano -w /etc/conf.d/hostname
HOSTNAME="sshhost"


Configure time synchronization (Kerberos rejects requests when clocks differ by more than the allowed skew, five minutes by default):
# emerge ntp
# nano -w /etc/conf.d/ntp-client

NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-s -b -u dc1.domain.local"


and so we don't have to come back to this:
# rc-update add ntp-client default

USE flags:
# nano -w /etc/make.conf
USE="unicode"

(to use UTF-8 you need to configure it: www.gentoo.org/doc/en/utf-8.xml )

Install:
# emerge sys-auth/pam_krb5 app-crypt/mit-krb5

Kerberos Setup
Create the /etc/krb5.conf file:
# nano -w /etc/krb5.conf
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.LOCAL = {
kdc = dc1.domain.local
admin_server = dc1.domain.local
kpasswd_server = dc1.domain.local
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[logging]
default = FILE:/var/log/krb5lib.log


A word on the two enctype lines: rc4-hmac, des3-hmac-sha1 and des-cbc-crc are what domain controllers of that era offered. DES is disabled by default in current MIT krb5 and in current Windows, and RC4 is deprecated. On a domain running Windows Server 2008 or later, drop those two lines and let the libraries negotiate AES (aes256-cts-hmac-sha1-96), or at least list the AES types first.

Now we can check:
# kinit Administrator
Password for Administrator@DOMAIN.LOCAL
#


If it prints nothing, things are most likely fine.
You can check with the command klist
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.LOCAL

Valid starting Expires Service principal
00/00/00 17:48:09 00/00/00 00:28:09 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL


Excellent! We have received a ticket from the KDC.

Install Samba
# USE="kerberos ldap ads winbind" emerge net-fs/samba

Configure it:
# nano -w /etc/samba/smb.conf
[global]
workgroup = DOMAIN
netbios name = SSHHOST
server string = Samba Server %v
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
hosts allow = 192.168.1. 127.
hosts deny = 0.0.0.0/0
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = DOMAIN.LOCAL
password server = dc1.domain.local
# winbind separator = /
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
use kerberos keytab = true


Create a directory for home directories of domain users:
# mkdir /home/DOMAIN

We continue tweaking Samba. Add the winbind daemon:
# nano -w /etc/conf.d/samba
daemon_list="smbd nmbd winbind"


Start it:
# /etc/init.d/samba start

Join the domain:
# net ads join -U Administrator
Enter the administrator password and you should see:
Using short domain name -- DOMAIN
Joined 'SSHHOST' to realm 'DOMAIN.LOCAL'
The join creates the computer account SSHHOST$ and its host/ service principals. The Administrator account is only used for this one step; an account that has merely been delegated the right to join computers to the domain works just as well and is the least-privilege choice.


At this point I had to reboot.

Check that it works:
# wbinfo -u
This lists all domain users.

Configure PAM by swapping in the winbind-enabled system-auth stack:
# mv /etc/pam.d/system-auth{,-old}
# ln -s /etc/pam.d/system-auth-winbind /etc/pam.d/system-auth


Edit /etc/nsswitch.conf:
# nano -w /etc/nsswitch.conf
passwd: compat winbind
shadow: compat winbind
group: compat winbind


Check name-service lookups:
# getent passwd
Do you see domain users in the passwd output? Then NSS via winbind works.

At this point you can already check whether a domain user can log in (still with a password, through PAM):
# ssh -l domainuser sshhost.domain.local

Add to autoload:
# rc-update add samba default

Now generate the keytab file:
# net ads keytab create
Printed nothing? That is expected; we should now have the file /etc/krb5.keytab. This is our "permanent" pass into the domain: it holds the host's long-term keys (for SSHHOST$ and host/sshhost.domain.local), so it must stay root-owned with mode 0600. Anyone who can read it can impersonate the host.
Using the keytab we can obtain tickets for our host without entering a password:
# kinit -k -t /etc/krb5.keytab 'SSHHOST$'
You can put this line in cron. Note that sshd itself does not need a ticket cache to accept GSSAPI logins; it only needs the host/sshhost.domain.local key in the keytab.

Configure the OpenLDAP client:
# nano -w /etc/openldap/ldap.conf
BASE dc=DOMAIN, dc=LOCAL
URI ldap://dc1.domain.local
HOST dc1
SIZELIMIT 12
TIMELIMIT 15
DEREF never


Rebuild OpenSSH with Kerberos support:
# USE="kerberos ldap" emerge --newuse openssh

Enable GSSAPI in /etc/ssh/sshd_config:
# nano -w /etc/ssh/sshd_config
GSSAPIAuthentication yes

sshd will then look up host/sshhost.domain.local in /etc/krb5.keytab. The client requests a service ticket for the name it was told to connect to, so that name must be exactly this FQDN; otherwise the GSSAPI method fails and authentication falls back to the next method (password via PAM). The client side needs GSSAPIAuthentication yes as well (ssh_config for OpenSSH).


Restart sshd:
# /etc/init.d/sshd restart

Done!
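Since the whole chain depends on name resolution, the keytab and the sshd setting agreeing with each other, here is a check script that ties the preparation, keytab and sshd steps above together. It is an added example written for this article, not code from the original post: it assumes MIT krb5 tools (the `klist -k -e` output format), GNU coreutils `stat -c`, glibc `getent`, and the article's own names (sshhost.domain.local, DOMAIN.LOCAL, /etc/krb5.keytab); the klist output embedded in it is a constructed sample.

```shell
#!/bin/sh
# Post-install checks for a GSSAPI-enabled sshd on an AD-joined host.
# Added example for this article, not part of the original page.
# Assumptions: MIT krb5 tools (klist -k -e output format), GNU coreutils
# (stat -c), glibc getent; FQDN/REALM/KEYTAB values are the article's.

FQDN="sshhost.domain.local"
REALM="DOMAIN.LOCAL"
KEYTAB="/etc/krb5.keytab"
SSHD_CONFIG="/etc/ssh/sshd_config"

# The service principal sshd's GSSAPI acceptor looks for in the keytab.
expected_spn() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Reads 'klist -k -e' output on stdin; succeeds if $1 is present with an AES key.
keytab_has_aes_key() {
    grep -F " $1 " | grep -qE '\(aes(128|256)-cts-hmac-sha1-96\)'
}

# Reads 'klist -k -e' output on stdin; prints DES/RC4 entries and fails if any.
# (Newer klist versions prefix such entries with "DEPRECATED:".)
keytab_weak_keys() {
    grep -iE '\((DEPRECATED:)?(des-cbc-(crc|md5)|des3-cbc-sha1|arcfour-hmac(-exp)?)\)' && return 1
    return 0
}

# The keytab is the host's long-term key: require mode 600 and root ownership.
perms_ok() {
    [ "$1" = "600" ] && [ "$2" = "root" ]
}

# sshd uses the first value it reads for a keyword, so the first uncommented
# GSSAPIAuthentication line in the file decides.
sshd_gssapi_enabled() {
    awk 'tolower($1)=="gssapiauthentication" && !seen { v=tolower($2); seen=1 }
         END { exit ((seen && v=="yes") ? 0 : 1) }' "$1"
}

# Constructed sample of 'klist -k -e' output, used to exercise the checks offline.
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sshhost.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/sshhost.domain.local@DOMAIN.LOCAL (arcfour-hmac)
   2 SSHHOST$@DOMAIN.LOCAL (arcfour-hmac)
EOF
)

run_checks() {
    spn=$(expected_spn "$FQDN" "$REALM")

    # 1. Name resolution: hostname -f, forward and reverse lookups must agree.
    [ "$(hostname -f)" = "$FQDN" ] && echo "ok: hostname -f is $FQDN" \
        || echo "FAIL: hostname -f is $(hostname -f), expected $FQDN"
    addr=$(getent hosts "$FQDN" | awk '{print $1; exit}')
    rev=$(getent hosts "$addr" | awk '{print $2; exit}')
    [ "$rev" = "$FQDN" ] && echo "ok: $FQDN <-> $addr" \
        || echo "FAIL: reverse of $addr is '$rev', not $FQDN"

    # 2. Keytab content and permissions.
    listing=$(klist -k -e "$KEYTAB")
    printf '%s\n' "$listing" | keytab_has_aes_key "$spn" \
        && echo "ok: $spn has an AES key" || echo "FAIL: $spn missing or without AES key"
    printf '%s\n' "$listing" | keytab_weak_keys >/dev/null \
        && echo "ok: no DES/RC4 keys" || echo "WARN: legacy DES/RC4 keys present"
    perms_ok "$(stat -c %a "$KEYTAB")" "$(stat -c %U "$KEYTAB")" \
        && echo "ok: keytab is root:0600" || echo "FAIL: keytab permissions too loose"

    # 3. Prove the key works against the KDC, then discard the ticket.
    kinit -k -t "$KEYTAB" "$spn" && kdestroy && echo "ok: kinit with keytab succeeded"

    # 4. sshd actually has GSSAPI turned on.
    sshd_gssapi_enabled "$SSHD_CONFIG" \
        && echo "ok: GSSAPIAuthentication yes" || echo "FAIL: GSSAPIAuthentication not enabled"
}

case "${1:-}" in
    run) run_checks ;;
    *)   printf '%s\n' "$SAMPLE_KLIST" | keytab_has_aes_key "$(expected_spn "$FQDN" "$REALM")" \
             && echo "sample: host SPN has an AES key" ;;
esac
```

Run it as `sh kerberos-sshd-check.sh run` on sshhost; without arguments it only exercises the checks against the constructed sample. Keep in mind that getent consults /etc/hosts before DNS, so for the KDC's view of the name also query the DNS server directly, e.g. `host sshhost.domain.local dc1.domain.local` and `host <address> dc1.domain.local`.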



Stock PuTTY did not support GSSAPI/SSPI at the time, so a patched build is needed.
The client from Certified Security Solutions worked out of the box: www.centrify.com/resources/putty.asp
For the build at sweb.cz/v_t_m/#putty, installing MIT Kerberos for Windows was recommended.

Other clients are listed on this page: www.chiark.greenend.org.uk/~sgtatham/putty/links.html
(Since PuTTY 0.61 the standard release supports GSSAPI; enable it under Connection > SSH > Auth > GSSAPI. Only allow credential delegation to hosts you trust, since a delegated TGT lets the server act on your behalf.)

If you enter the login name manually, write it exactly as it appears in the %UserName% variable.

Source: https://habr.com/ru/post/41451/

